Change Details

PBR rules can reference firewall groups, similar to normal firewall rules. However, with the change to `nftables`, these names currently don't resolve in the policy code. Here's an example for a `network-group`: ``` set firewall group network-group RFC1918 network '192.168.0.0/16' set firewall group network-group RFC1918 network '10.0.0.0/8' set firewall group network-group RFC1918 network '172.16.0.0/12' set policy route BEAR rule 1 destination group network-group RFC1918 commit ``` this fails with ``` [ policy route BEAR ] Failed to apply policy based routing [[policy route BEAR]] failed Commit failed ``` Running `nft -c -f /run/nftables_policy.conf` reveals that the named network group `RFC1918` (which is defined as a variable in `/run/nftables.conf`) is not known: ``` /run/nftables_policy.conf:11:19-27: Error: unknown identifier 'N_RFC1918' ip daddr $N_RFC1918 counter return comment "BEAR-1" ^^^^^^^^^ ``` I am uncertain whether moving all the `define` stuff from `nftables.conf` into a separate file and then including it in `nftables*.conf` would work, but theoretically, it should, e.g. with something like this: ``` #!/usr/sbin/nft -f # include a single file using an absolute path include "/run/nftables_define.conf" ```

PBR rules can reference firewall groups, similar to normal firewall rules. However, with the change to `nftables`, these names currently don't resolve in the policy code. Here's an example for a `network-group`: ``` set firewall group network-group RFC1918 network '192.168.0.0/16' set firewall group network-group RFC1918 network '10.0.0.0/8' set firewall group network-group RFC1918 network '172.16.0.0/12' set policy route BEAR rule 1 destination group network-group RFC1918 commit ``` this fails with ``` [ policy route BEAR ] Failed to apply policy based routing [[policy route BEAR]] failed Commit failed ``` Running `nft -c -f /run/nftables_policy.conf` reveals that the named network group `RFC1918` (which is defined as a variable in `/run/nftables.conf`) is not known: ``` /run/nftables_policy.conf:11:19-27: Error: unknown identifier 'N_RFC1918' ip daddr $N_RFC1918 counter return comment "BEAR-1" ^^^^^^^^^ ``` I am uncertain whether moving all the `define` stuff from `nftables.conf` into a separate file and then including it in `nftables*.conf` would work, but theoretically, it should, e.g. with something like this: ``` #!/usr/sbin/nft -f # include a single file using an absolute path include "/run/nftables_defines.conf" ```

PBR rules can reference firewall groups, similar to normal firewall rules. However, with the change to `nftables`, these names currently don't resolve in the policy code. Here's an example for a `network-group`: ``` set firewall group network-group RFC1918 network '192.168.0.0/16' set firewall group network-group RFC1918 network '10.0.0.0/8' set firewall group network-group RFC1918 network '172.16.0.0/12' set policy route BEAR rule 1 destination group network-group RFC1918 commit ``` this fails with ``` [ policy route BEAR ] Failed to apply policy based routing [[policy route BEAR]] failed Commit failed ``` Running `nft -c -f /run/nftables_policy.conf` reveals that the named network group `RFC1918` (which is defined as a variable in `/run/nftables.conf`) is not known: ``` /run/nftables_policy.conf:11:19-27: Error: unknown identifier 'N_RFC1918' ip daddr $N_RFC1918 counter return comment "BEAR-1" ^^^^^^^^^ ``` I am uncertain whether moving all the `define` stuff from `nftables.conf` into a separate file and then including it in `nftables*.conf` would work, but theoretically, it should, e.g. with something like this: ``` #!/usr/sbin/nft -f # include a single file using an absolute path include "/run/nftables_defines.conf" ```